Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total7
Critical0
High1
Medium6
Reset
Showing 1-7 of 7 records
Threat Entry Updated 2026-05-14

CVE-2026-5395 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.

PLUGIN Conversational Form Builder

CVE-2026-5395

HIGH CVSS 8.2 2026-05-14
Open Full Technical Breakdown
Threat Entry Updated 2026-05-13

CVE-2026-6828 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permission_message' parameter in all versions up to, and including, 6.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Conversational Form Builder

CVE-2026-6828

MEDIUM CVSS 6.4 2026-05-13
Open Full Technical Breakdown
Threat Entry Updated 2026-04-22

CVE-2026-4160 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

PLUGIN Conversational Form Builder

CVE-2026-4160

MEDIUM CVSS 5.3 2026-04-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-08

CVE-2025-13722 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder.

PLUGIN Conversational Form Builder

CVE-2025-13722

MEDIUM CVSS 5.3 2026-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-12-08

CVE-2025-13748 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.

PLUGIN Conversational Form Builder

CVE-2025-13748

MEDIUM CVSS 5.3 2025-12-06
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-9260 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused…

PLUGIN Conversational Form Builder

CVE-2025-9260

MEDIUM CVSS 6.5 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-03-22

CVE-2024-13666 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions.

PLUGIN Conversational Form Builder

CVE-2024-13666

MEDIUM CVSS 5.3 2025-03-22
Open Full Technical Breakdown
Scroll to top